{"id":1053,"date":"2021-05-18T09:07:28","date_gmt":"2021-05-18T09:07:28","guid":{"rendered":"https:\/\/www.ishygddt.xyz\/~blog\/?p=1053"},"modified":"2022-03-08T18:50:53","modified_gmt":"2022-03-08T18:50:53","slug":"getting-opennic-to-work-with-pfsense","status":"publish","type":"post","link":"http:\/\/www.ishygddt.xyz\/~blog\/2021\/05\/getting-opennic-to-work-with-pfsense","title":{"rendered":"Getting OpenNIC to work with pfSense"},"content":{"rendered":"<p>If you're using an alternate DNS root server such as OpenNIC, and your network uses a pfSense-based router, you may find that clients are, strangely, unable to resolve unofficial TLDs, getting <code>SERVFAIL<\/code> or <code>NXDOMAIN<\/code>.<\/p>\n<p>There are 3 ways I can think of to quickly solve this problem for the whole network, listed here in increasing order of complication:<\/p>\n<h2>1. Disable the DNS resolver<\/h2>\n<p>Go to Services &gt; DNS Resolver &gt; Enable, and uncheck it. Then save, reload, and re-connect your clients, and they'll be using your configured DNS servers directly and without asking pfSense to be an intermediary!<\/p>\n<h2>2. Set the DNS resolver to forwarding mode<\/h2>\n<p>Simply change the following two settings, save, and reload:<\/p>\n<ul>\n<li>Services &gt; DNS Resolver &gt; DNS Query Forwarding \u2014 <strong>check this box<\/strong><\/li>\n<li>Services &gt; DNS Resolver &gt; Advanced Settings &gt; Advanced Resolver Options &gt; Harden DNSSEC Data \u2014 <strong>uncheck this box<\/strong><\/li>\n<\/ul>\n<p>This will make it (1) actually <em>use<\/em> your configured DNS servers instead of bootstrapping all its queries from the root hints, and (2) not return <code>SERVFAIL<\/code> when it fails to find an IANA DNSSEC chain leading to OpenNIC's homesteaded bit of the root zone.<\/p>\n<h2>3. <a href=\"https:\/\/wiki.opennic.org\/opennic\/tier2setup#configuration_options\">Set the root-hints file<\/a><\/h2>\n<p>First, go to Diagnostics &gt; Shell Prompt &gt; Execute Shell Command and execute:<\/p>\n<pre><code class=\"language-shell\">dig NS . @168.119.153.26 | tee \/var\/unbound\/opennic.root<\/code><\/pre>\n<p>Then, go to Services &gt; DNS Resolver &gt; General Settings &gt; Custom Options and add the following:<\/p>\n<pre><code class=\"language-yaml\">root-hints: opennic.root<\/code><\/pre>\n<p>Finally, go to Services &gt; DNS Resolver &gt; Advanced Settings &gt; Advanced Resolver Options &gt; Harden DNSSEC Data \u2014 <strong>uncheck this box<\/strong>, then save and reload.<\/p>\n<p>[TODO: get any <code class=\"language-yaml\">trust-anchor-*:<\/code> option working\u2026]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you're using an alternate DNS root server such as OpenNIC, and your network uses a pfSense-based router, you may find that clients are, strangely, unable to resolve unofficial TLDs, getting SERVFAIL or NXDOMAIN. There are 3 ways I can think of to quickly solve this problem for the whole network, listed here in increasing &hellip;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,96],"tags":[88,130,131,132],"class_list":["post-1053","post","type-post","status-publish","format-standard","hentry","category-drafts","category-howto","tag-dns","tag-opennic","tag-pfsense","tag-unbound"],"_links":{"self":[{"href":"http:\/\/www.ishygddt.xyz\/~blog\/wp-json\/wp\/v2\/posts\/1053","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.ishygddt.xyz\/~blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.ishygddt.xyz\/~blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.ishygddt.xyz\/~blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.ishygddt.xyz\/~blog\/wp-json\/wp\/v2\/comments?post=1053"}],"version-history":[{"count":7,"href":"http:\/\/www.ishygddt.xyz\/~blog\/wp-json\/wp\/v2\/posts\/1053\/revisions"}],"predecessor-version":[{"id":1365,"href":"http:\/\/www.ishygddt.xyz\/~blog\/wp-json\/wp\/v2\/posts\/1053\/revisions\/1365"}],"wp:attachment":[{"href":"http:\/\/www.ishygddt.xyz\/~blog\/wp-json\/wp\/v2\/media?parent=1053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.ishygddt.xyz\/~blog\/wp-json\/wp\/v2\/categories?post=1053"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.ishygddt.xyz\/~blog\/wp-json\/wp\/v2\/tags?post=1053"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}